On 2017 Jun 12 06:24:08, you wrote to me:

 ML>> intrusion detection systems are the only things i've seen that come
 ML>> close but the connection and attempted login still has to take
 ML>> place... the *ONLY* other option is to get off of port 23 and the
 ML>> other few that MIRAI specifically targets... that includes the
 ML>> default SSH port as well...

 jl> I've just come across a utility, called "PSAD", it is a port scanning
 jl> utility.. if the "danger level" meets a certain threshold, it will
 jl> automatically block the offending IP address. Pretty cool. I'm still
 jl> testing it out at the moment, but this may be what i've been looking
 jl> for.

i can't say that i've ever heard of it but these bots are not port scanning...
they're connecting and spewing their login stream... if there's nothing there
to connect to, they cannot spew and they move on to the next IP address they've
been directed to look at...

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it
wrong...
... 56. Admit it when you're wrong.
---